Channels

Services

Credit card security codes offer little protection

The three digit security code (Credit Card Validation Number, CVN) on credit cards clearly offers insufficient protection from abuse, according to a report on german television channel ZDF's WISO business magazine program yesterday (Monday). The security code is intended to ensure that the card can only be used by its owner. According to the report, however, possession of a credit card's card number and expiry date is all a fraudster needs to be able to make purchases online. In tests, security services provider Syss found that at 80 percent of online shops it was in fact possible to simply try out every possible security number online, using, for example, an automated brute force attack.

Neither shops nor credit card associations, such as VISA or Mastercard, have prevented this by blocking further attempts after a certain number of failures, as is the case when using a cash card at a cash machine. Syss executive director Sebastian Schreiber confirmed the existence of the problem to heise Security. He stated that, in his opinion, the credit card associations had to take responsibility for resolving the problem. After a certain number of failed attempts, further attempts or even the card itself should be blocked. He noted that the credit card industry advertises on the basis of its multi-layered fraud prevention system, but that this is in fact mere window dressing - these systems were invisible during testing and did not block access.

In his opinion, in order to prevent cards from being blocked by malicious individuals, both the credit card number and the expiry date should be used. If both are correct, then you can probably assume that you are dealing with the owner of the card or a fraudster, and not just a prankster.